We have had an almost 2-week break from Locky ransomware. This morning in the UK we suddenly see the return. It is almost as if they have timed the new version to spam out on Thanksgiving Day in the USA, where the AV companies and security teams are off on their long weekend holiday. The next in the never-ending series of downloaders from the Necurs botnet is an email with the subject of scanned from (printer or scanner name) pretending to come from copier@ your own email address or company domain.
[...]
The new ransom note is called IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT
They use email addresses and subjects that will entice, persuade, scare or shock a recipient to read the email and open the attachment.
You, your email server or any device on your network has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
The subjects in this vary but are all copier or scanner related:
- Scanned from Lexmark
- Scanned from HP
- Scanned from Canon
- Scanned from Epson
Antivirus scan for e6715117fd6995fafe48a3a60a2b1275ef21a63f7878de2cc031c8f1a0e5d771 at 2017-11-23 10:12:48 UTC - VirusTotal
HybridAnalysis:
Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'image2017-11-22-5864621.vbs'
AnyRun demonstration:
image2017-11-22-5864621.vbs (MD5: A1F2D987ECA4CBAB526100778E6D01F2) - Interactive analysis - ANY.RUN
Full article to be found @ https://myonlinesecurity.co.uk/necu...-ransomware-via-fake-scanner-copier-messages/
See also:
Scarab Ransomware Pushed via Massive Spam Campaign
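A mail-gateway check for the three traits the post lists (a "Scanned from ..." subject, a copier@ sender on the recipient's own domain, and a script attachment like the .vbs sample), added here as an example that is not part of the original post or the quoted article. The function names, the extension list, the example.test addresses and the quarantine rule are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Subject shape named in the post: "Scanned from <device>"
SUBJECT_RE = re.compile(r"^\s*scanned from\s+\S+", re.IGNORECASE)
# Assumption: script types a copier never sends (the post's sample is a .vbs)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def campaign_traits(raw):
    """List which of the three traits one raw RFC 5322 message shows."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Sender claims to be copier@ on the recipient's own domain
    if sender.startswith("copier@") and domain_of(sender) == domain_of(msg.get("To")):
        hits.append("spoofed-copier")
    # Attachment names only; archives are not unpacked here
    if any((p.get_filename() or "").lower().endswith(SCRIPT_EXTS) for p in msg.walk()):
        hits.append("script-attachment")
    return hits


def should_quarantine(raw):
    """Assumed rule: a script attachment plus at least one lure trait."""
    hits = campaign_traits(raw)
    return "script-attachment" in hits and len(hits) >= 2


def build_sample(subject, sender, to, filename):
    """Constructed test message (not a captured email)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, to
    m.set_content("Please find the scanned document attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

A genuine copier sending a PDF from copier@ your domain matches two traits but is not quarantined, because the rule requires the script attachment.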